The Green Sheet Online Edition
October 26, 2009 • Issue 09:10:02
Cloud security, a weighty issue
Just as travelers must submit to screening and identity checks at the airport in a post 9/11 world, credit card transactions need heightened verification and security. Think homeland security for terminals; these safeguards came in response to security breaches and are designed to protect cardholder data. While security procedures can't guarantee our safety when we fly or use our payment cards, they can minimize risk.
The PCI Security Standards Council is a global forum established by American Express Co., Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The council designs, promotes and enforces industry best practices for the transmitting, processing and storing of cardholder data.
Compliance standards regulate how to build and maintain secure networks, protect cardholder data, manage vulnerability, implement access control measures, monitor and test networks, and maintain information security policies.
With the July 1, 2010, deadline approaching for the implementation of Payment Card Industry (PCI) Data Security Standard (DSS)-compliant payment applications at all merchant establishments, there is a growing sense of urgency about understanding PCI and finding safe, cost-effective ways to implement it.
As businesses shop for validated applications and compliant hardware, many merchants are receiving contradictory advice. Some are being told they need to upgrade their equipment, which is not always the case. Others are being charged additional dues and assessments by their processors, regardless of whether or not their systems are compliant.
Even merchants who follow regulations to the letter, file timely Self-Assessment Questionnaires, and pass all screens and audits can still face losses and penalties if hackers break into their systems and gain access to cardholder data. So, in effect, noncompliance can be retroactive.
All of this makes outsourcing data security attractive to business owners, both large and small. They are increasingly migrating to cloud computing as a green alternative to building or maintaining their own secure networks.
Cloud computing is a collection of virtualized information technology (IT) resources available on demand, either by subscription or single use, and accessible on the Internet. Factors attributable to the viral growth of cloud computing are: flexibility, scalability, automatic updates, accessibility and freedom to focus on core business.
Will card processing "up in the cloud" protect merchants from penalties or fines if they process a fraudulent credit card or compromise cardholder data? No, because the incidents would still be attributable to a specific merchant identification number and bank relationship. The value proposition of using cloud computing to process credit cards is that it saves time and money.
Merchants don't have to invest in updating existing infrastructure (which can include servers, networks, card readers and storage) to meet industry security standards.
Larger merchants are increasingly walking away from the sunk costs of these older legacy systems and embracing the new cloud paradigm: flexible, scalable networks with an array of value-added content managed by remote servers that will grow in direct proportion to merchant requirements.
Security in cloud computing is a topic of vigorous debate in the elite circles of PCI DSS Qualified Security Assessors (QSAs). One such expert is Andrew Hacker, who has provided strategic guidance to the IT and security industries for more than 15 years.
As Director of the Information Security Practice at Mindteck, Hacker has observed that the greatest challenge in regulating cloud computing is that "the security controls that you have in place in the physical world go away when you go virtual."
Hypervisor is a newer technology architecture designed to manage multiple virtual machines that can coexist on a single hardware server without disrupting each other. However, the fact of their coexistence can be a concern to security analysts tasked with creating new rules for security in the virtual world. A QSA's scope is based on segmentation properties and, as Hacker commented, "How do you define what segmentation means in a virtual environment? The industry still needs to define these controls."
Defining segmentation is just one facet of determining how to identify and regulate remote access points, which is the larger challenge facing security professionals as the global business community increasingly migrates to outsourced, thin client solutions.
While there is widespread disagreement on approaches to regulation, consensus is growing that this is a prioritized work in progress because cloud computing represents the future of information technology.
Builders versus breakers
Security analysts usually fall into two distinct camps. They are builders or breakers, according to Mark Curphey, a Security Analyst and Manager of Microsoft Corp.'s Application Consulting & Engineering Team in Europe. Builders usually represent the glass as half full in IT matters, while breakers see the glass as half empty and are intent on exposing weaknesses and failures in IT approaches.
A full copy of Curphey's article, "Tomorrow's security cogs and levers," can be found in Beautiful Security: Leading Security Experts Explain How They Think, a compendium of views on security industry trends published by O'Reilly Media, Inc. It is also available at http://securitybuddha.com
Curphey, a self-described "builder," is so confident in the continuing evolution of cloud computing that he envisions accompanying security systems to also be cloud-based in design. He points out that some companies have already outsourced their IT security to companies like VeriSign Inc. and Secunia.
Security analysts in the breaker camp are most concerned about security and privacy issues that may arise when companies rely on third parties to manage IT infrastructure, processing systems and critical business data.
According to its Web site, The Electronic Privacy Information Center was created in 1994 to "focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values."
EPIC recently filed a letter of complaint with the Federal Trade Commission against Google concerning "privacy and security risks associated with the provision of 'Cloud Computing Services' by Google Inc. to American consumers, businesses and federal agencies of the United States." Details on this are posted at http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf.
Whether you side with builders or breakers on the contentious topic of security in cloud computing, it's clear we'll have to figure this out; many merchants are already on board, and the plane is taxiing down
Dale S. Laszig is a writer and payments industry executive with a diversified background in sales and marketing. Her company, DSL Direct LLC, helps industry professionals and business owners leverage electronic transaction technology. She can be reached at 973-930-0331 or firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.